ansible (1.7.2+dfsg-2+deb8u2) request for testing
Greetings,
This is a request for testing of a proposed ansible update for jessie.
I have prepared an update of Ansible (version 1.7.2+dfsg-2+deb8u2) which
fixes several issues. This is the changelog entry for the upload I have
prepared:
ansible (1.7.2+dfsg-2+deb8u2) jessie-security; urgency=high
* Non-maintainer upload by the LTS Team.
* CVE-2015-3908: Fix potential man-in-the-middle attack associated with
insufficient X.509 certificate verification. Ansible did not verify that
the server hostname matches a domain name in the subject's Common Name (CN)
or subjectAltName field of the X.509 certificate, which allows
man-in-the-middle attackers to spoof SSL servers via an arbitrary valid
certificate.
* CVE-2015-6240: Fix a symlink attack that allows local users to escape a
restricted environment (chroot or jail) via a symlink attack.
* CVE-2018-10875: Fix potential arbitrary code execution resulting from
reading ansible.cfg from a world-writable current working directory. This
condition now causes ansible to emit a warning and ignore the ansible.cfg
in the world-writable current working directory.
* CVE-2019-10156: Fix information disclosure through unexpected variable
substitution. (Closes: #930065)
-- Roberto C. Sanchez <roberto@debian.org> Fri, 06 Sep 2019 08:01:41 -0400
I have done my best to test each individual change/fix, in particular
making use of upstream's unit tests where possible. However, given the
scope of changes and the fact that some of the changes required a fair
amount of backporting to make them suitable for this version of Ansible,
requesting some testing prior to upload seems prudent. The packages can
be downloaded here:
https://people.debian.org/~roberto/
The .changes and .dsc files are signed with my key which is in the
Debian keyring.
Unless there are reports of problems with this update, I intend to
upload on Monday, 16th September.
Regards,
-Roberto
--
Roberto C. Sánchez
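Illustration added after the message, not part of the original mail and not Ansible's code: the check the CVE-2015-3908 entry says was missing. The certificate is modelled in the dict shape that Python's ssl.SSLSocket.getpeercert() returns (subject RDNs plus a subjectAltName tuple); the names in the sample dicts are constructed. The matcher accepts a wildcard only as the whole leftmost label and only for one label, and it falls back to the subject commonName only when the certificate carries no DNS subjectAltName entries at all.

```python
"""Hostname verification of the kind CVE-2015-3908 describes.

This is an illustrative re-implementation, not Ansible's or Python's code.
Certificates are dicts in the shape of ssl.SSLSocket.getpeercert().
"""


def _dnsname_match(pattern, hostname):
    """Match one DNS name from a certificate against the requested hostname.

    Comparison is case-insensitive; a wildcard is accepted only as the entire
    leftmost label and matches exactly one label, so '*.example.net' matches
    'api.example.net' but neither 'a.b.example.net' nor 'example.net'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    # Wildcard must be the whole leftmost label, must not appear elsewhere,
    # and is refused for patterns too short to have a registered domain.
    if plabels[0] != "*" or len(plabels) < 3:
        return False
    if any("*" in label for label in plabels[1:]):
        return False
    if len(plabels) != len(hlabels):
        return False
    return plabels[1:] == hlabels[1:]


def cert_dns_names(cert):
    """Return the DNS names a certificate claims.

    subjectAltName DNS entries win; the subject commonName is consulted only
    when the certificate has no DNS SAN entries (the legacy fallback).
    """
    names = [value for kind, value in cert.get("subjectAltName", ())
             if kind == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def verify_hostname(cert, hostname):
    """True if the certificate is valid for hostname, else False."""
    return any(_dnsname_match(name, hostname) for name in cert_dns_names(cert))


# Constructed sample certificate dicts (not real certificates).
SAN_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.net")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "ansible.example.org"),),)}


if __name__ == "__main__":
    for cert, host in [(SAN_CERT, "www.example.com"),
                       (SAN_CERT, "a.b.example.net"),
                       (CN_ONLY_CERT, "other.example.org")]:
        print(host, "->", verify_hostname(cert, host))
```

In real client code the same check is obtained by letting the TLS library do it: ssl.create_default_context() sets check_hostname and CERT_REQUIRED, and wrap_socket(sock, server_hostname=host) then rejects a certificate whose names do not cover the requested host. The point of the CVE entry is that accepting any valid certificate without this name check lets a holder of some other valid certificate impersonate the server.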
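A second illustration added after the message, again not the original mail's or Ansible's code: the behaviour the CVE-2018-10875 entry describes, where an ansible.cfg in a world-writable current working directory is ignored with a warning and the search falls through to the next location. The search order after the working directory (ANSIBLE_CONFIG, then ~/.ansible.cfg, then /etc/ansible/ansible.cfg in Ansible) is passed in as an explicit list here so the demo can run offline against constructed temporary directories.

```python
import os
import stat
import tempfile
import warnings

CONFIG_NAME = "ansible.cfg"


def is_world_writable(directory):
    """True if 'others' have write permission on directory.

    A sticky world-writable directory such as /tmp still lets any local user
    create a new ansible.cfg there, so the sticky bit is deliberately not
    treated as making the directory safe.
    """
    return bool(os.stat(directory).st_mode & stat.S_IWOTH)


def find_config(cwd, fallbacks=()):
    """Locate the configuration file to load.

    The per-directory ansible.cfg in cwd is used unless cwd is world-writable,
    in which case it is skipped with a warning (the CVE-2018-10875 fix) and
    the fallbacks are tried in order. Returns (path_or_None, warning_or_None).
    """
    candidate = os.path.join(cwd, CONFIG_NAME)
    warning = None
    if os.path.isfile(candidate):
        if not is_world_writable(cwd):
            return candidate, None
        warning = ("Ansible is being run in a world writable directory (%s), "
                   "ignoring it as an ansible.cfg source." % cwd)
        warnings.warn(warning)
    for path in fallbacks:
        if os.path.isfile(path):
            return path, warning
    return None, warning


def demo():
    """Exercise find_config on constructed directories; returns a result dict."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        safe = os.path.join(root, "safe")
        os.mkdir(safe, 0o755)
        open(os.path.join(safe, CONFIG_NAME), "w").close()

        unsafe = os.path.join(root, "unsafe")
        os.mkdir(unsafe, 0o777)
        os.chmod(unsafe, 0o777)  # mkdir's mode is subject to umask; force it
        open(os.path.join(unsafe, CONFIG_NAME), "w").close()

        # Stand-in for ~/.ansible.cfg (constructed path, not the real file).
        home_cfg = os.path.join(root, "dot-ansible.cfg")
        open(home_cfg, "w").close()

        with warnings.catch_warnings():
            warnings.simplefilter("ignore")
            path, warn = find_config(safe, [home_cfg])
            results["safe_uses_cwd"] = path == os.path.join(safe, CONFIG_NAME)
            results["safe_no_warning"] = warn is None
            path, warn = find_config(unsafe, [home_cfg])
            results["unsafe_skips_cwd"] = path == home_cfg
            results["unsafe_warned"] = warn is not None
            path, warn = find_config(unsafe, [])
            results["unsafe_no_fallback"] = path is None and warn is not None
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The detection side is the same stat check: an ansible.cfg found in a directory whose mode includes S_IWOTH is one that any local user could have planted, and a config file can name plugin paths and other settings that lead to code execution, which is why the fix refuses it rather than merely warning.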